Microsoft finds new computers in China preinstalled with malware

The company said the malware was embedded inside counterfeit versions of its Windows OS

Brand-new laptop and desktop computers sold in China contain preinstalled malicious software that has infected millions of computers around the world, according to an investigation Microsoft revealed on Thursday.

The malware, embedded in counterfeit versions of Microsoft's Windows OS, is engineered to spy on users and conduct denial-of-service attacks, Microsoft said. It warned that the findings pose fresh questions over the integrity of computer-part supply chains.

Cybercriminals "are out to get you," said Richard Domingues Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit. "They will do whatever it takes. If the supply chain is how they're going to get on [computers], that's what they're going to do."

Microsoft's investigation, dubbed "Operation b70," culminated in the shutdown of the command-and-control system connected to computers infected with "Nitol," a rootkit (a piece of malicious software that hides its presence on the system) that was preinstalled on some of the examined computers. Nitol spreads quickly via removable drives.

The company has led an aggressive drive against counterfeit software and botnets in an effort to cut off the source of cybercriminal activity, much of which targets Windows users because of the operating system's large worldwide share.

Company investigators had Chinese nationals purchase 20 laptop and desktop computers from so-called "PC malls" in various Chinese cities. All of the machines had counterfeit copies of Windows XP or Windows 7, Boscovich said. Three computers contained inactive malware, but a fourth had a live piece of malware, "Nitol.A," that awoke when the computer connected to the Internet, he said.

The laptop was manufactured by Hedy, a large manufacturer based in Guangzhou, China, and purchased in Shenzhen. The other three computers with inactive malware were from "major manufacturers" but Microsoft is not identifying the brands, Boscovich said.

It is believed that the computers became infected after the devices left the factory. In China, many computers ship with just DOS, and an operating system is installed later. "Somewhere in that retail or wholesale supply chain, something happens," Boscovich said.

Consumers in Western countries may not be exposed to this kind of tampering, but they do face risks if they download counterfeit software from the internet, Boscovich said.

The malware discovery led to a larger investigation into the Nitol botnet, which was controlled through the domain "" The domain has been linked to malicious activity as far back as 2008, Boscovich said.

The domain contained more than 500 strains of malware hosted on some 70,000 subdomains, Boscovich said. The malware hosted is capable of a range of malicious functions, from turning on a computer's microphone and video camera to logging keystrokes, according to a Microsoft blog post.

Microsoft obtained permission on Sept. 10 from the U.S. District Court for the Eastern District of Virginia to take control of the domain. The company filed a civil complaint against Peng Yong, who owns the domain, against his company Changzhou Bei Te Kang Mu Software Technology, also known as Bitcomm, and against three other unnamed defendants. A hearing is set for Sept. 26.

Boscovich said Microsoft would like Yong to identify those people who have registered the malicious domains, as only he would hold that information since the websites are subdomains. "We are trying to reach out to him now," he said. "We are not necessarily alleging he is the one running the botnet."

Microsoft now controls the domain. Since it also hosts legitimate websites, Microsoft is using DNS (Domain Name System) software from Nominum that allows legitimate traffic to reach subdomains of the domain but halts traffic to the 70,000 hosted websites that are harmful, a process known as "sinkholing."

Using the DNS in this way is a new, state-of-the-art approach, said Craig Sprosts, general manager for fixed broadband at Nominum, which provides DNS services for service providers including Verizon, Comcast and BT. The advantage is that websites that aren't doing anything illegal continue to run.
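The selective sinkholing described above is easy to picture as a resolver policy: queries for subdomains on a blocklist get a sinkhole answer, every other subdomain of the seized apex resolves normally, and each sinkholed lookup is logged per client so that an operator could later tell ISPs which customers appear infected. The following is an added illustration, not Microsoft's or Nominum's code; the apex name, the blocklist entries, the client addresses and the sinkhole address are constructed placeholders, since the article does not reproduce the real domain.

```python
"""Selective DNS sinkhole policy in the style described for Operation b70.

Added example (not Microsoft's or Nominum's code). Blocked subdomains of a
seized apex are answered with a sinkhole address, all other names go to the
normal upstream resolver, and sinkholed lookups are recorded per client.
The apex name, blocklist, client addresses and sinkhole address are
constructed placeholders; the article does not reproduce the real domain.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# RFC 5737 documentation address, constructed for this example.
SINKHOLE_IP = "192.0.2.1"


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


@dataclass
class SelectiveSinkhole:
    apex: str                       # the seized domain (placeholder)
    blocked: Set[str]               # malicious subdomains, normalized
    sinkhole_ip: str = SINKHOLE_IP
    # client IP -> names it tried to resolve that were sinkholed (ISP notification data)
    hits: Dict[str, List[str]] = field(default_factory=lambda: defaultdict(list))

    def in_zone(self, qname: str) -> bool:
        """True if qname is the apex or lies beneath it."""
        q = normalize(qname)
        return q == self.apex or q.endswith("." + self.apex)

    def is_blocked(self, qname: str) -> bool:
        """True if qname is a blocked subdomain or sits underneath one.

        Walking up the labels catches a host such as cnc.evil.<apex> when only
        evil.<apex> is listed, while sibling subdomains are left alone.
        """
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate == self.apex:
                break  # never sinkhole the apex itself
            if candidate in self.blocked:
                return True
        return False

    def resolve(self, qname: str, client_ip: str,
                upstream: Callable[[str], str]) -> str:
        """Answer one query: sinkhole if blocked, otherwise defer upstream."""
        q = normalize(qname)
        if self.in_zone(q) and self.is_blocked(q):
            self.hits[client_ip].append(q)
            return self.sinkhole_ip
        return upstream(q)

    def infected_clients(self) -> Dict[str, int]:
        """Per-client count of sinkholed lookups, the data an ISP would receive."""
        return {ip: len(names) for ip, names in self.hits.items()}


def fake_upstream(qname: str) -> str:
    """Stand-in for the real resolver; returns a constructed address per name."""
    return "198.51.100." + str(sum(qname.encode()) % 254 + 1)


def run_demo() -> Dict[str, object]:
    """Construct a blocklist and replay a few queries from two clients."""
    apex = "seized-apex.example"   # placeholder, not the real domain
    sink = SelectiveSinkhole(apex=apex,
                             blocked={"bot1." + apex, "evil." + apex})
    queries = [
        ("203.0.113.5", "bot1." + apex),        # blocked: sinkholed
        ("203.0.113.5", "cnc.evil." + apex),    # under a blocked name: sinkholed
        ("203.0.113.9", "shop." + apex),        # legitimate subdomain: passes through
        ("203.0.113.9", apex),                  # apex itself: passes through
        ("203.0.113.9", "unrelated.example"),   # outside the zone: passes through
    ]
    answers = {name: sink.resolve(name, ip, fake_upstream) for ip, name in queries}
    return {"answers": answers, "infected": sink.infected_clients()}


if __name__ == "__main__":
    for name, addr in run_demo()["answers"].items():
        print(f"{name:40} -> {addr}")
```

The per-client hit log is the part that matters operationally: a sinkhole that only drops traffic loses the evidence of which machines were calling home, whereas recording the source address of each sinkholed lookup is what lets the operator hand ISPs a list of customers to clean up, as the article describes.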

"This operation is somewhat unique," Sprosts said. "There have been domain takedowns, but this one was kind of a surgical strike."

As for the infected computers, Microsoft will notify ISPs that have infected customers, and those ISPs can then take action to clean the malware off the machines.

Stories by Jeremy Kirk